Thursday, June 10, 2010

It's been a bad week for Apple. First the wifi choked at Steve Job's iPhone 4 demo at WWDC. And now Gawker has reported that AT&T inadvertently leaked the email addresses of 114,000 iPad purchasers.

It should come as no surprise that the culprit here is a web application vulnerability. According to a story on Slashdot, a web service that was supposed to provide an AJAX-type response within AT&T's web apps was left exposed externally. Oops.

A lot of big name people are going to be pissed off. The celebrities on the list are not going to be happy about having their email address in the papers. And public officials who expensed the iPad will (or at least should) have some serious explaining to do as to why the taxpayer needs to subsidize their new toy.

Email addresses can be changed. But the leak also exposed something called the ICC-ID, a number that uniquely identifies a device's SIM card.

At the time of writing (night time EST 6/9) there is still no official announcement on what is going to happen with the leaked identifiers. My guess is that they can't be reliably changed without a manual recall. This raises privacy concerns for the affected users, since ICC-IDs are relatively liberally shared during the course of network communications.

But in the end it doesn't really matter. Using an iPad or an iPhone already binds your personal information to your web traffic in a much deeper way than your old fashioned Mac or PC. After all, most iPhones are full of apps that tie your real actual personal data - your name, credit card, address, etc to your device. iTunes works the same way. And unlike a full blown computer, iPhones and iPads afford very little GUI control of what is happening in the background. You could of course gain control through jail breaking. But that's not the MO of 99% of users, and violates the terms of service to boot.

I don't mean to justify the leak - users have a reasonable expectation that their personal information is not totally exposed for the world to see. But when you use an iPhone or iPad, you need to realize that your personal data is lurking in thinly veiled form in countless transaction and traffic logs. Although the 114,000 folks whose ICC-IDs are now public domain are slightly more at risk than the rest of us, it is not as though everyone else was operating in anonymity. The AT&T incident demonstrates that on rigid mobile platforms everyone's traffic is just one badly configured web service away from exposure.

It is amazing how quickly mobile communications has gone from the most secure to the least anonymous form of communication. Mobile security has a special place in my heart since the days I served as one of the dozen-odd members of the ETSI Secure Algorithm Group of Experts that standardized the GSM and UMTS encryption algorithms in the first half of the last decade. Back then it was easy - security derived from cryptography, and mobile Internet usage was barely getting off the ground. Today the underlying strength of the mobile cryptographic algorithms is almost irrelevant to most practical attacks. And anonymity is essentially impossible to achieve on devices locked down by both the manufacturer and the operator.

With a brick and mortar PC that connects to networks the old fashioned way, there is a certain default anonymity that even non-technical users can achieve. On locked down mobile devices - where Steve Jobs decides what applications can run and how - a user's identity is at best protected by a myriad of minimalistic authentication mechanisms. For most users, it is worth trading robust privacy in the interest of a rich user experience. That's why millions of users (myself included) own iPhones. But it also means that when the inevitable data breaches occur, there is a lot more information potentially at risk.

Tuesday, June 8, 2010

Napera networks announced yesterday the availability of what appears to be the first systems management application in the Google Apps Marketplace.

Google Apps Marketplace was launched in March of this year and is exactly what the name implies - a place to buy and install apps that integrate directly with Google Apps. Most of the 45 offerings currently listed in the Security and Compliance category are related to email security. This makes sense since email is the most popular Google Apps product.

Napera's PC Security Informer is trailblazing as the first security management offering in the Google Apps Marketplace (there are of course plenty of competing cloud security management offerings like for example Shavlik PatchCloud).

Does buying security management from the Google Apps Marketplace make sense?Luckily for Napera, the usual cloud security FUD will not hold much water with its potential Google Apps Marketplace customers. The small and medium sized businesses that are the target market for Napera's PC Security Informer have already moved big chunks of their infrastructure to the cloud. Since the data is already in the cloud, there is no reason that the security to protect that data shouldn't be in the cloud as well.

The bigger issue for most businesses will be business control, customization, privacy policies, and SLA's. Moving apps to a platform-as-a-service infrastructure is scary from a can-I-get-someone-on-the-phone-when-the-^%&$^-hits-the-fan perspective. And for applications deployed within Google Apps, there are multiple vendors to deal with. When you use a cloud-built-on-a-cloud service like Napera PC Security Informer, you are dependent on both Napera and Google for everything to run smoothly.

The litmus test for the success of any app in the Google Apps Marketplace is whether the integration advantages outweigh the lock-in. The biggest competition for Google Apps Marketplace security products will come from competing hosted solutions. With third party hosted solutions, what you lose in Google Apps integration might be gained back in control and peace of mind.

A challenge for Napera in driving adoption of the PC Security Informer is the nature of the Google Apps customer base. With 25 million users spread over 2 million businesses, the typical Google Apps customer is a ten-guys-working-virtually type of company. Those organizations are not in the market for systems management. Many of the larger companies using Google Apps are still dipping their toes in the water. Those companies are unlikely to realize much advantage in the tight integration with the rest of their Google Apps domain that is the main value added of the app approach.

I haven't used the product, but it would certainly be interesting to hear from someone who has. Which brings me to a plug for Security Scoreboard, the vendor review site for the security community. If you are a current customer of Napera Networks, please share your experiences on Security Scoreboard and help the rest of the community evaluate this vendor.

Monday, June 7, 2010

On the heels of Apple's very public tussle with Adobe over Flash support on the iPad, Adobe announced a "critical vulnerability" in Flash on Friday.

Vulnerability announcements happen all the time. For better or worse, the nature of today's software industry is to build first and repair later. But its been months since Flash experienced a security issue of this scope. And the timing is not good for Adobe, as Steve Jobs specifically mentioned Flash security issues in his "Thoughts on Flash" manifesto in April. With the major media players deciding what graphics and animation standards to support, Flash is under the microscope.

I don't think security usually determines winners and losers in the mass market/desktop environment. But there are rare occasions when the cumulative perception of security vulnerabilities coupled with lingering privacy issues can form a tipping point in the fortunes of a technical standard or company. Many companies are immune to this phenomena due to a lack of alternatives (for all the user outrage, Facebook is not about to be upended by fledgling alternatives like Diaspora anytime soon). But with HTML5 and other open web based standards based offering competing functionality, a series of badly handled security vulnerabilities would not augur well for the future of Flash.

Incomprehensible warnings

Miscommunicating vulnerabilities like the one announced on Friday can fall into this straw-that-broke-the-camel's-back. At the time of writing (Saturday night June 5th) the Adobe announcement does not make clear that all users running current versions are vulnerable and that there is no available fix. Instead, Adobe published that anyone running Flash version 10.0.45.2 or earlier is at risk. Since there is no version 10.0.45.3, that basically means that by default everyone is potentially vulnerable. Since most non-RainMan users do not have the version numbers of their installed programs memorized, this should have been more explicitly spelled out in plain English. A more technical explanation could have been included to parse out which installations exactly are at risk.

But even more troubling for the average user is the lack of a viable fix. Adobe has announced that this vulnerability is being exploited in the wild (again an incomprehensible term for most users…). There appears to be no available patch for the Flash vulnerability. And for the accompanying Reader and Acrobat vulnerabilities the solution is to remove the authplay.dll component that ships with the product. How many users know what a dll is?

Of course Adobe isn't alone in producing vulnerability announcements that are inactionable for most users. And this announcement is far from the worst. My unscientific thumb-in-the-wind estimate would give this a B or B- for clarity on a weighted curve with other major software vendors. But even more problematic and potentially more damaging to Adobe's long term perch within everyone's browser is the lack of user control over Flash privacy settings.

Flash's privacy exception

Flash has long existed in its own little fiefdom on the desktop, immune to many of the privacy controls applied to browser plugins. But that situation could be ripe for change. When even Facebook's CEO - with the closest thing the planet has to a universal social network - is literally sweating up a storm over users' privacy concerns, more easily replaced plugins like Flash cannot continue indefinitely to fly under the radar.

Until now Flash has somehow gotten a free pass when it comes to user privacy. In response to user demand, all the major browsers include a private browsing mode that does not record cookies and generally does not leave digital fingerprints on the user's computer (earning it its more technical name, porn mode). But Flash doesn't play by this game. Most users are very surprised to learn that Flash cookies persist on their machines long after the user has diligently cleared caches, cookies, and even reset their browsers. The only clue for the average user is the seemingly mysterious way that programs like Pandora still remember them long after they thought they scrubbed their browser clean. Flash may have a webpage where users can theoretically manage their cookies, but I would guess that only a minuscule portion of users are even aware of its existence.

Regardless of whether you think Flash on a website is cool or just annoying, it's hard to get the full web experience without Flash and that's why its installed on 99% of browsers. If Flash were to lose its ubiquity the transition to competing standards could snowball. With so little information available about the latest vulnerability, it is difficult to know whether it is the result of overzealous feature integration at the price of security. But as the ubiquitous incumbent in the web multimedia war of 2010, Flash will be judged - fairly or unfairly - to a higher standard than some of its emerging competitors.